SECURI-PI: Using the Raspberry Pi as a secure springboard


Like many Linux Journal readers, I live the now popular "tech nomad" life: moving between networks and from one access point to another, connecting to the Internet and to the other networks we use every day from wherever in the real world we happen to be.

Recently I have found that more and more network environments block common ports such as SMTP, SSH (port 22) and so on. It is annoying to walk into a café, want to SSH into one of your servers to get something done, and find that port 22 is blocked.

However, I have yet to find a network that blocks HTTPS (port 443). After a little configuration of the Raspberry Pi 2 at home, I turned it into a springboard on port 443 through which I can reach whatever destination port I need from any of these networks. In short, I set up the Raspberry Pi at home as an OpenVPN endpoint, an SSH endpoint and an Apache server, all listening on port 443, which also keeps the number of services I expose to the Internet small.

Notes

This setup gets around most restricted networks, but some firewalls perform deep packet inspection on outbound traffic and will often block traffic tunnelled the way this article describes. I have not tested it behind such a firewall. Also, although I rely on several cryptography-based tools (OpenVPN, HTTPS, SSH), I have not rigorously audited this configuration (LCTT: the author means that this setup can help you bypass port restrictions, not that your activity is completely safe). DNS, for example, may still leak information, and there are probably other corners I have not thought through. I strongly recommend against treating this springboard configuration as a foolproof way to hide network traffic; it is meant to bypass port restrictions so you can get connected, not to do anything dangerous.

Start

Let's start with what you need. I am using a Raspberry Pi 2 loaded with the latest version of Raspbian, but this configuration should also run on a Raspberry Pi Model B; 512MB of memory is more than enough for our purposes, although performance will not match the Raspberry Pi 2, since the Model B has a single-core CPU rather than the quad core of the Raspberry Pi 2. My Raspberry Pi sits behind my home firewall and router, so I can also use it as a springboard to reach the other devices in my home. It also means that, on the Internet, my traffic appears to come from my home IP address, which is also a way to protect my anonymity. If you don't have a Raspberry Pi, or don't want to run the service from home, you can put this configuration on a small cloud server (LCTT: a VPS, for example). Just make sure the server runs a Debian-based Linux distribution and this guide will still apply.

Figure 1 Raspberry Pi is about to become our encrypted network endpoint

Install and configure BIND

Whether you are using a Raspberry Pi or a server, once it is up and running you will install BIND, the domain name server software that powers a large part of the Internet. You will use BIND only as a caching name server, not configure it to answer domain requests from the Internet. Installing BIND gives you a DNS server that OpenVPN clients can use. Installation is a simple apt-get:

    root@test:~# apt-get install bind9
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      bind9utils
    Suggested packages:
      bind9-doc resolvconf ufw
    The following NEW packages will be installed:
      bind9 bind9utils
    0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
    Need to get 490 kB of archives.
    After this operation, 1,128 kB of additional disk space will be used.
    Do you want to continue [Y/n]? y

A few small details need configuring before you can use BIND as a caching name server. Both changes are made in /etc/bind/named.conf.options. First, uncomment the forwarders section and add a target server to which domain requests can be forwarded. As an example I will use Google's DNS server (8.8.8.8) (LCTT: readers in China will need to find a substitute); the forwarders section of the file then looks roughly like this:

    forwarders {
        8.8.8.8;
    };

The second change is to allow queries from the local network and from the machine itself. Add this line at the end of the configuration file, just before the closing }; :

    allow-query { 192.168.1.0/24; 127.0.0.0/16; };

This line allows the DNS server to answer requests from the network it sits on (in my case, the network behind my firewall) and from the local machine. Note that OpenVPN clients query from the tunnel subnet (10.8.0.0/24 in the server configuration later in this article), which this list does not include, so add that range too if those clients are to use BIND. Next, restart the BIND service:

    root@test:~# /etc/init.d/bind9 restart
    [....] Stopping domain name service...: bind9 waiting for pid 13209. ok
    [ ok ] Starting domain name service...: bind9.

Now you can test with nslookup to make sure the service works properly:

    root@test:~# nslookup
    > server localhost
    Default server: localhost
    Address: 127.0.0.1#53
    > www.google.com
    Server:     localhost
    Address:    127.0.0.1#53

    Non-authoritative answer:
    Name:   www.google.com
    Address: 173.194.33.176
    Name:   www.google.com
    Address: 173.194.33.177
    Name:   www.google.com
    Address: 173.194.33.178
    Name:   www.google.com
    Address: 173.194.33.179
    Name:   www.google.com
    Address: 173.194.33.180

Perfect! You now have a working name server on the system; the next step is to configure OpenVPN.

Installing and configuring OpenVPN

OpenVPN is an open-source VPN solution that uses SSL/TLS for key exchange and is very easy to deploy in a Linux environment. Configuring OpenVPN can be a bit daunting, but you don't need to change much in the default config file. First, run apt-get to install OpenVPN:

    root@test:~# apt-get install openvpn
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      liblzo2-2 libpkcs11-helper1
    Suggested packages:
      resolvconf
    The following NEW packages will be installed:
      liblzo2-2 libpkcs11-helper1 openvpn
    0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
    Need to get 621 kB of archives.
    After this operation, 1,489 kB of additional disk space will be used.
    Do you want to continue [Y/n]? y

Now that OpenVPN is installed, you need to configure it. OpenVPN is SSL-based and relies on certificates for both the server and the client. To generate these certificates you need to set up a certificate authority (CA) on the machine. Fortunately, OpenVPN ships with a set of scripts, "easy-rsa", that speed up this process. Create a directory for the easy-rsa scripts and copy them over from the template directory:

    root@test:~# mkdir /etc/openvpn/easy-rsa
    root@test:~# cp -rpv /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Next, make a backup copy of the vars file:

    root@test:/etc/openvpn/easy-rsa# cp vars vars.bak

Then edit vars so that the information matches your situation. The values I changed are shown here as an example:

    export KEY_SIZE=4096
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="Silicon Valley"
    export KEY_ORG="Linux Journal"
    export KEY_EMAIL="<your-email-address>"

The next step is to source the vars file so that its settings become environment variables for the scripts that follow:

    root@test:/etc/openvpn/easy-rsa# source ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Build the CA (certificate authority)

Next, run clean-all to make sure you start from a clean working environment, then build the CA. Note that I changed some of the suggested "changeme" values to match my installation:

    root@test:/etc/openvpn/easy-rsa# ./clean-all
    root@test:/etc/openvpn/easy-rsa# ./build-ca
    Generating a 4096 bit RSA private key
    ...................................................++
    .....++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [Silicon Valley]:
    Organization Name (eg, company) [Linux Journal]:
    Organizational Unit Name (eg, section) [changeme]:secteam
    Common Name (eg, your name or your server's hostname) [changeme]:test.linuxjournal.com
    Name [changeme]:test.linuxjournal.com
    Email Address [<your-email-address>]:

Generate a server certificate

Once the CA exists, you can generate the OpenVPN server's certificate:

    root@test:/etc/openvpn/easy-rsa# ./build-key-server test.linuxjournal.com
    Generating a 4096 bit RSA private key
    ...................................................++
    writing new private key to 'test.linuxjournal.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [Silicon Valley]:
    Organization Name (eg, company) [Linux Journal]:
    Organizational Unit Name (eg, section) [changeme]:secteam
    Common Name (eg, your name or your server's hostname) [test.linuxjournal.com]:
    Name [changeme]:test.linuxjournal.com
    Email Address [<your-email-address>]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'CA'
    localityName          :PRINTABLE:'Silicon Valley'
    organizationName      :PRINTABLE:'Linux Journal'
    organizationalUnitName:PRINTABLE:'secteam'
    commonName            :PRINTABLE:'test.linuxjournal.com'
    name                  :PRINTABLE:'test.linuxjournal.com'
    emailAddress          :IA5STRING:'<your-email-address>'
    Certificate is to be certified until Sep  1 06:23:59 2025 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries

The next step is to generate the Diffie-Hellman parameters the OpenVPN server requires, and this takes time. On a typical desktop CPU it takes a few minutes; on the ARM-based Raspberry Pi it takes a very long time. Be patient: as long as dots keep appearing in the terminal, everything is proceeding normally (the example below omits most of the dots):

    root@test:/etc/openvpn/easy-rsa# ./build-dh
    Generating DH parameters, 4096 bit long safe prime, generator 2
    This is going to take a long time
    ....................................................+<many dots omitted>

Generate a client certificate

Now generate the key the client will use to log in to OpenVPN. OpenVPN is normally configured for certificate-based authentication, so the client needs a certificate signed by the CA on the server:

    root@test:/etc/openvpn/easy-rsa# ./build-key bills-computer
    Generating a 4096 bit RSA private key
    ....++
    ...................................................++
    writing new private key to 'bills-computer.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [Silicon Valley]:
    Organization Name (eg, company) [Linux Journal]:
    Organizational Unit Name (eg, section) [changeme]:secteam
    Common Name (eg, your name or your server's hostname) [bills-computer]:
    Name [changeme]:bills-computer
    Email Address [<your-email-address>]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'CA'
    localityName          :PRINTABLE:'Silicon Valley'
    organizationName      :PRINTABLE:'Linux Journal'
    organizationalUnitName:PRINTABLE:'secteam'
    commonName            :PRINTABLE:'bills-computer'
    name                  :PRINTABLE:'bills-computer'
    emailAddress          :IA5STRING:'<your-email-address>'
    Certificate is to be certified until Sep  1 07:35:07 2025 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    root@test:/etc/openvpn/easy-rsa#

Now generate an HMAC key to use as a shared secret (the tls-auth key), which adds a further layer of protection on top of the TLS handshake:

    root@test:~# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Configure the server

Finally, it's time to configure the OpenVPN service. You need to create /etc/openvpn/server.conf; most of its settings can stay at their usual values. The main change for this setup is to make OpenVPN use TCP rather than UDP. This is required for the next step: without a TCP connection the service will not work on port 443. Create /etc/openvpn/server.conf with the following contents:

    port 1194
    proto tcp
    dev tun
    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/test.linuxjournal.com.crt  ## or whatever your hostname was
    key easy-rsa/keys/test.linuxjournal.com.key   ## hostname key - this file should be kept secret
    management localhost 7505
    dh easy-rsa/keys/dh4096.pem
    tls-auth easy-rsa/keys/ta.key 0  # the HMAC key generated above with openvpn --genkey
    server 10.8.0.0 255.255.255.0  # the server will use this subnet for clients connecting to it
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"  # forces clients to redirect all traffic through the VPN
    push "dhcp-option DNS 192.168.1.1"  # tells the client to use the DNS server at 192.168.1.1 - replace with the IP address of the OpenVPN machine and clients will use the BIND server set up earlier
    keepalive 30 240  # keepalive takes two values: ping interval and restart timeout, in seconds
    comp-lzo  # enable compression
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

Finally, enable IP forwarding on the server, configure OpenVPN to start at boot, and start the OpenVPN service right away:

    root@test:/etc/openvpn/easy-rsa/keys# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    root@test:/etc/openvpn/easy-rsa/keys# sysctl -p /etc/sysctl.conf
    net.core.wmem_max = 12582912
    net.core.rmem_max = 12582912
    net.ipv4.tcp_rmem = 10240 87380 12582912
    net.ipv4.tcp_wmem = 10240 87380 12582912
    net.core.wmem_max = 12582912
    net.core.rmem_max = 12582912
    net.ipv4.tcp_rmem = 10240 87380 12582912
    net.ipv4.tcp_wmem = 10240 87380 12582912
    net.core.wmem_max = 12582912
    net.core.rmem_max = 12582912
    net.ipv4.tcp_rmem = 10240 87380 12582912
    net.ipv4.tcp_wmem = 10240 87380 12582912
    net.ipv4.ip_forward = 0
    net.ipv4.ip_forward = 1
    root@test:/etc/openvpn/easy-rsa/keys# update-rc.d openvpn defaults
    update-rc.d: using dependency based boot sequencing
    root@test:/etc/openvpn/easy-rsa/keys# /etc/init.d/openvpn start
    [ ok ] Starting virtual private network daemon:.

Configuring the OpenVPN client

Installing the client depends on the client's operating system, but in every case you copy the certificate and key generated earlier to the client, import them into your OpenVPN client and create a new configuration file. The OpenVPN clients for the various operating systems differ slightly in how they work, which is beyond the scope of this article, so check the OpenVPN documentation for your operating system for details. Please refer to the Resources section of this document.

Install sslh, the "magic" multi-protocol switch

The most interesting part of this solution is sslh. sslh is a multi-protocol switch: it listens on port 443, works out whether each incoming connection is SSH, HTTPS or OpenVPN, and forwards it to the correct system service. This is what lets the solution bypass most port blocking: you can almost always use HTTPS, because it is almost never blocked.

Again, it is a straightforward apt-get install:

    root@test:/etc/openvpn/easy-rsa/keys# apt-get install sslh
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1
      libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9
    Suggested packages:
      apache2-doc apache2-suexec apache2-suexec-custom openbsd-inetd inet-superserver
    The following NEW packages will be installed:
      apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1
      libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9 sslh
    0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
    Need to get 1,568 kB of archives.
    After this operation, 5,822 kB of additional disk space will be used.
    Do you want to continue [Y/n]? y

When sslh is installed, the package manager asks whether to run it under inetd or in standalone mode. Choose standalone mode, because you want sslh to run as its own process. If Apache is not installed, the apt package manager pulls it in automatically, although it is not strictly required. If you already have Apache, make sure it listens only on localhost and not on all interfaces (otherwise sslh cannot start, because Apache already holds port 443). After installation you will see an error message that looks like this:

    [....] Starting ssl/ssh multiplexer: sslhsslh disabled, please adjust the configuration to your needs
    [FAIL] and then set RUN to 'yes' in /etc/default/sslh to enable it. ... failed!
     failed!

This is not a real error; sslh is simply reminding you that it has not been configured yet and so cannot start. Configuring sslh is relatively straightforward. Its config file is /etc/default/sslh, and you only need to change the RUN and DAEMON_OPTS variables. My sslh configuration file looks like this:

    # Default options for sslh initscript
    # sourced by /etc/init.d/sslh

    # Disabled by default, to force yourself
    # to read the configuration:
    # - /usr/share/doc/sslh/README.Debian (quick start)
    # - /usr/share/doc/sslh/README, at "Configuration" section
    # - sslh(8) via "man sslh" for more configuration details.
    # Once configuration ready, you *must* set RUN to yes here
    # and try to start sslh (standalone mode only)

    RUN=yes

    # binary to use: forked (sslh) or single-thread (sslh-select) version
    DAEMON=/usr/sbin/sslh

    DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --openvpn 127.0.0.1:1194 --pidfile /var/run/sslh/sslh.pid"

Save your edits and start sslh:

    root@test:/etc/openvpn/easy-rsa/keys# /etc/init.d/sslh start
    [ ok ] Starting ssl/ssh multiplexer: sslh.
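A check worth running at this point, written for this article rather than taken from it: it parses `ss -ltnp` output and verifies the listener layout the sslh configuration above assumes, in particular that Apache is confined to localhost so that sslh alone owns port 443. The two listings inside it are constructed samples; pass real `ss -ltnp` output to audit() on your own Pi.

```python
"""Audit listening sockets for the sslh layout used in this article.

Added example, not from the original article.  It parses `ss -ltnp` output
(the two listings below are constructed samples) and checks that sslh alone
faces the network on 443, that Apache is confined to localhost, and that
every backend sslh forwards to is actually listening.
"""
import re
from typing import List, Tuple

# Backends named on the DAEMON_OPTS line in /etc/default/sslh above.
SSLH_BACKENDS = {"ssh": 22, "ssl": 443, "openvpn": 1194}
LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "*", "[::]"}

# One LISTEN line of `ss -ltnp`: local address:port and owning process name.
LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)

# Constructed: Apache still bound to every interface on 443, so sslh could
# not start (the failure mode the article warns about).
SAMPLE_BAD = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("apache2",pid=980,fd=4))
LISTEN 0      128    0.0.0.0:1194       0.0.0.0:*         users:(("openvpn",pid=1130,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))
"""

# Constructed: the intended layout once Apache is on localhost and sslh runs.
SAMPLE_GOOD = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("sslh",pid=1201,fd=3))
LISTEN 0      128    127.0.0.1:443      0.0.0.0:*         users:(("apache2",pid=980,fd=4))
LISTEN 0      128    0.0.0.0:1194       0.0.0.0:*         users:(("openvpn",pid=1130,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (address, port, process) for every LISTEN line that parses."""
    matches = (LISTEN_RE.match(line) for line in ss_output.splitlines())
    return [(m["addr"], int(m["port"]), m["proc"]) for m in matches if m]


def audit(ss_output: str) -> List[str]:
    """Return a list of problems; an empty list means the layout is right."""
    listeners = parse_listeners(ss_output)
    problems = []
    # 1. sslh must be the process facing the network on port 443.
    if not any(proc == "sslh" and port == 443 and addr in WILDCARD
               for addr, port, proc in listeners):
        problems.append("sslh is not listening on 0.0.0.0:443")
    # 2. Nothing else may hold 443 on a non-loopback address.
    for addr, port, proc in listeners:
        if port == 443 and proc != "sslh" and addr not in LOOPBACK:
            problems.append(f"{proc} holds port 443 on {addr}; bind it to 127.0.0.1")
    # 3. Each backend must be reachable on 127.0.0.1 (a wildcard bind is fine).
    for name, want in SSLH_BACKENDS.items():
        if not any(port == want and proc != "sslh" and addr in LOOPBACK | WILDCARD
                   for addr, port, proc in listeners):
            problems.append(f"no listener for sslh backend {name} on 127.0.0.1:{want}")
    return problems
```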

Now you should be able to ssh to your Raspberry Pi on port 443, and sslh will forward the connection correctly:

    $ ssh -p 443 root@test.linuxjournal.com
    root@test:~#

sslh now listens on port 443 and forwards traffic to SSH, Apache or OpenVPN depending on the type of traffic that arrives. The system is ready to go!
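How sslh tells the three protocols apart, as an added example (not sslh's own code) modelled on the probes it runs against the first bytes a client sends; the backend addresses are those from the DAEMON_OPTS line above, and the sample openings are constructed.

```python
"""Model of how sslh decides where a port-443 connection belongs.

Added example, not sslh's own code.  sslh peeks at the first bytes a client
sends and dispatches on them; the probes below are simplified versions of
what it does for the three protocols in this article, and the backends are
the ones from the DAEMON_OPTS line above.  Sample openings are constructed.
"""
import struct
from typing import Tuple

BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 443),
    "openvpn": ("127.0.0.1", 1194),
}
# sslh hands a connection to its first configured protocol (--ssh here) when
# the client has sent nothing by --timeout: an SSH client may legitimately
# wait for the server banner.  This model uses the same default whenever no
# probe matches.
DEFAULT_PROTOCOL = "ssh"


def is_ssh(data: bytes) -> bool:
    # RFC 4253 identification string, e.g. b"SSH-2.0-OpenSSH_6.7p1\r\n".
    return data.startswith(b"SSH-")


def is_tls(data: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte length, then a ClientHello handshake message (type 0x01).
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def is_openvpn(data: bytes) -> bool:
    # With "proto tcp" OpenVPN prefixes each packet with a 16-bit big-endian
    # length.  The client's first packet is a small P_CONTROL_HARD_RESET_CLIENT
    # (opcode 1, 7 or 10 in the top five bits of the next byte): 14 bytes
    # bare, 42 bytes when a tls-auth SHA1 HMAC is present, as configured above.
    if len(data) < 3:
        return False
    (length,) = struct.unpack("!H", data[:2])
    return 14 <= length <= 128 and (data[2] >> 3) in (1, 7, 10)


PROBES = (("ssh", is_ssh), ("ssl", is_tls), ("openvpn", is_openvpn))


def classify(first_bytes: bytes) -> str:
    """Name the protocol for the client's opening bytes (b"" = silent client)."""
    for name, probe in PROBES:
        if probe(first_bytes):
            return name
    return DEFAULT_PROTOCOL


def route(first_bytes: bytes) -> Tuple[str, int]:
    """Return the (host, port) sslh would forward this client to."""
    return BACKENDS[classify(first_bytes)]


# Constructed client openings, one per case.
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_6.7p1 Raspbian-5\r\n",
    "tls": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32,
    "openvpn": struct.pack("!H", 42) + bytes([7 << 3]) + b"\x00" * 41,
    "silent": b"",
}
```

Plain HTTP on 443 (for example `GET / HTTP/1.1`) matches none of the probes and therefore lands on the default SSH backend, which is why sslh is given an --ssl backend rather than an HTTP one in this setup.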

Conclusion

Now you can start OpenVPN and configure your client to connect to port 443 on the server; sslh will forward that traffic to port 1194 on the server. Because you are talking to the server's port 443, your VPN traffic will not be blocked. You can sit comfortably in a coffee shop in an unfamiliar town and browse the Internet through the OpenVPN on your Raspberry Pi. You have also added some security to your connection, which makes it more secure and private. Enjoy surfing the Internet through your secure springboard!
